Data retention and VPN logging in the United States

Unlike Europe with its draconian Data Retention Directive, the United States has no mandatory data retention law. However, if an ISP or VPN provider does retain any data relating to its customers (i.e. it keeps logs), then under the Stored Communications Act it is required to hand these over on receipt of a court order (or, for basic subscriber records, a subpoena) from a law enforcement agency. In addition, if investigators or prosecutors are able to identify an individual, they can require a VPN company to preserve records of that individual's online activity, credit card payments etc. for a limited period (90 days, renewable once for a further 90 days).

The Digital Millennium Copyright Act (DMCA)

This copyright law came into force in 1998. Beyond providing the framework under which online copyright infringement is policed, it makes it unlawful to bypass copyright protection measures (i.e. DRM, Digital Rights Management) or to distribute tools for doing so, even if no actual copyright infringement takes place.

The most well-known facet of this act is the DMCA Takedown Notice, which shields an ISP (or VPN provider) from liability for its users' infringement as long as, upon receiving a valid complaint from a copyright holder that their intellectual property has been violated, it "responds expeditiously to remove, or disable access to, the material that is claimed to be infringing."

Most VPN companies that can identify the customer responsible for a notice will threaten the user with termination of service (and, if the behaviour continues, will carry out this threat).

In addition to a Takedown Notice, lawyers (most notably those working on behalf of the entertainment industry or copyright trolls) may demand that a VPN provider (or ISP) identify the individual in order to take action against them under the Digital Millennium Copyright Act. In theory a court order needs to be obtained to force a VPN provider into doing this, but because these orders are quite easy to get, and because VPN providers do not want costly and time-wasting legal wrangles, many choose to comply without a fight.

Most US VPN companies keep logs

They do this for a number of reasons:

By co-operating with the authorities and with legal requests, they avoid lengthy and expensive legal wrangling, and by identifying individual offenders they shift responsibility away from themselves and onto the offender.

To protect themselves from retroactive changes to the law. Just because a provider is acting within the law as it stands does not guarantee that it will not face prosecution. A good example of this is LimeWire, which was successfully sued for "inducing infringement" even though no such offence existed at the time the 'offence' took place.

As a consequence of these pressures, most US VPN providers prefer to keep in the good books of the authorities, and therefore keep logs and co-operate with both copyright enforcement lawyers and law enforcement organizations.

Companies who keep no logs and use shared IPs

As we noted at the beginning, there is no requirement in the US for VPN providers to keep logs. It is also possible to use shared IPs (many customers exiting from the same public address at the same time), which, combined with the absence of connection logs, makes it impossible to tie copyright abuse or other online activity to a particular individual. Some companies (such as Private Internet Access) take advantage of this, and can quite legitimately decline to take any action when presented with a Takedown Notice or court order, citing the fact that they have no records to hand over and that, thanks to the use of shared IPs, they cannot identify an individual anyway.

The following statement from a spokesperson at Private Internet Access is telling, however:

“The future of the Internet is at risk, with many entities all around the world attempting to take away the freedoms and liberties of the citizens of the world, including people like ourselves and our clients. Our ultimate dream is to protect these freedoms and liberties, as well as the rights to free speech and uncensored access to data on the Internet, which has helped drive prosperity unbeknownst to society.

However, the MPAA has cast a dark shadow on the Internet. We are regretful to inform our subscribers that any BitTorrent activity must now be conducted on our Swiss and other offshore gateways. We have received too many abuse and copyright infringement complaints on our US and UK gateways which has forced us, in order to protect our customers, to this policy change. We do not log our users’ network traffic in any way, shape, or form. Your privacy and anonymity is our absolute #1 priority.

However, please rest assured! We still allow P2P activity, including BitTorrent amongst other protocols, to occur on our network. However, if you wish to engage in P2P, once again, please use our offshore gateways.”

Some companies, even when based overseas, have gone even further and exempt US servers from their normal no-logs policy. PrivatVPN, for example, is a Swedish company that normally "don't keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user our service", but has stated that "we're logging IP addresses and time stamp on the incoming connection for our U.S. servers. We offer no anonymity on our U.S. servers".

The message is clear: even companies dedicated to maintaining their users' anonymity are facing huge and mounting pressure in the US, to the point where they can no longer guarantee protection for their customers when those customers use US servers.

The future (is looking dark)

Attempts to introduce mandatory data retention laws have so far failed, but it comes as no surprise that further attempts are in the works, the most notable of which are PCFIPA and CISPA.

Protecting Children from Internet Pornography Act of 2011

Riding a wave of public anxiety about paedophilia, the PCFIPA's scope has deeply worried civil liberties groups (including the Electronic Frontier Foundation, the American Library Association and the American Civil Liberties Union). It would require ISPs to retain customers' IP addresses, phone numbers, credit card details, bank account numbers, dynamic IP address assignments and information on all web sites visited.

While these may on the face of it seem reasonable measures aimed at preventing a heinous crime, it should be noted that of the 272.1 million internet users in the United States, only around 10,000 child pornography consumers are known to exist (roughly 0.004%). Even assuming that many more exist undetected, this is still a ridiculously small percentage of the nation's internet users.

When you also consider that legislation (e.g. the Protect Our Children Act of 2008) is already in force which allows police to access and collect information on suspected child pornographers, it becomes clear that this bill is wildly disproportionate in its sweeping attack on the personal freedoms of US citizens.

Data retained under the bill would be available to law enforcement officials for any issue (i.e. not limited to issues relating to child pornography), requiring only probable cause and a warrant. As Kevin Bankston, attorney for the EFF (Electronic Frontier Foundation), said, "The data retention mandate in this bill would treat every Internet user like a criminal and threaten the online privacy and free speech rights of every American…"

How the PCFIPA would affect VPN services located inside the US is unclear at this point, but it is likely they would be subject to it should the bill be passed into law. At present the bill has passed the House Judiciary Committee and awaits debate in the House of Representatives.

Cyber Intelligence Sharing and Protection Act

As the name suggests, CISPA is nominally aimed at preventing cyber-threats to national security by allowing technology companies to freely share private user information deemed related to ‘cyber security’ with the National Security Agency (NSA).

The main problem with the bill is that there is no public accountability or judicial oversight, leaving companies free to share whatever information they like with an organisation that acts in secret (the NSA). This is due to the bill's use of language so broad that pretty much anything could be defined as serving 'cybersecurity purposes'.

What happens now is unclear, although it is believed that legislators are looking into alternative legislation that would address national cybersecurity concerns while posing less of a threat to civil liberties. However, CISPA has already been thought a dead duck only to return with a vengeance, and it is entirely possible that we have not seen the last of it.

Conclusion

Despite having no data retention laws (yet), the United States remains very problematic when it comes to online privacy. Thanks to legal pressure from anti-piracy lawyers and lobbyists, and heavy-handed treatment at the hands of law enforcement and national security organisations, most US VPN providers have opted for the easy route, keeping logs and handing them over to interested parties with little or no resistance.

This is not universally the case, however: some VPN providers do stick to their guns and refuse to keep logs (Private Internet Access is prominent in this regard). But as noted above, even these companies are struggling under the legal pressure placed on them, and it is highly recommended that P2P or other activity you would prefer to remain anonymous be performed using servers outside the US.

Written by Pete Zaborszky. Pete runs Best VPN and wants to get detailed information to the readers. He is dedicated to being the best and providing the highest quality at anything he does. You can also find him on Twitter or Google+.

IMO IPVanish is OK, but there are better providers out there (and we do receive some complaints about customer service). IPVanish can legally keep no logs as the US has no compulsory data retention laws, although as with all US privacy-orientated companies, I would assume that it is monitored by the NSA…

What happens when using a VPN service based in the US but the server connected to is outside, for example in Thailand?
Does the VPN company's client software connect directly to the servers, or via the US-based servers first and then the server in Thailand? So if there were logs on the Thailand server, could traffic be tracked to the US server and then to the user's IP?

The VPN client software connects directly to the server in Thailand. However, under both the Patriot Act and FISA, US companies can be legally compelled to hand over data even if it resides (and always has) on servers outside the United States, something that Microsoft is currently in conflict with the government over (bestvpncom.wpengine.com/blog/10850/microsoft-resists-giving-overseas-emails-to-us-government/). In addition to this, if someone such as the NSA wants the data, they will happily stoop to hacking foreign servers and other dirty tricks. Basically, if logs exist then they can be accessed by someone powerful enough.

Good to know that some companies like Private Internet Access aren't rolling over to the lawyers and interest groups with deep pockets. Still, it's scary the direction this country is heading. The NSA and other organizations claiming that they are only interested in national security are either lying or very, very misinformed about how the Internet works. There are plenty of ways for criminals and terrorists to communicate in secret over the Internet that can never be stopped (PGP takes hours to master). Amateurs.